ABSTRACT

We show how to construct a variety of “trapdoor” cryptographic tools assuming the worst-case hardness of standard lattice problems (such as approximating the length of the shortest nonzero vector to within certain polynomial factors). Our contributions include a new notion of trapdoor function with preimage sampling, simple and efficient “hash-and-sign” digital signature schemes, and identity-based encryption.

A core technical component of our constructions is an efficient algorithm that, given a basis of an arbitrary lattice, samples lattice points from a discrete Gaussian probability distribution whose standard deviation is essentially the length of the longest Gram-Schmidt vector of the basis. A crucial security property is that the output distribution of the algorithm is oblivious to the particular geometry of the given basis.


Categories and Subject Descriptors

F.2.2 [Nonnumerical Algorithms and Problems]: Computations on discrete structures

Theory, Algorithms

1. INTRODUCTION


Ever since the seminal work of Ajtai [3] connecting the average-case complexity of lattice problems to their complexity in the worst case, there has been an intriguing and fruitful effort to base cryptography (which requires security for random keys) on worst-case lattice assumptions. In addition to their unique theoretical niche, lattice-based schemes enjoy many potential advantages: their asymptotic efficiency and conceptual simplicity (usually requiring only linear operations on small integers); their resistance so far to cryptanalysis by quantum algorithms (as opposed to those based on factoring or discrete log); and the guarantee that their random instances are “as hard as possible.”

Until very recently, the known constructions of such primitives were limited mainly to one-way and collision-resistant hash functions [3, 27, 17, 37, 40] and public-key encryption [5, 51, 52]. It has been a longstanding open problem to give a “direct” construction of digital signatures having the simplicity and efficiency of other lattice-based primitives, even in the random oracle model.¹ The early “GGH” signature proposal of Goldreich, Goldwasser, and Halevi [28] was directly related to a certain lattice problem, but it lacked a security proof, and recently, Nguyen and Regev [43] showed how to recover the entire secret key (or its equivalent) from a transcript of signatures.

Despite some recent advances in lattice-based cryptography (e.g., [49, 36]), many important cryptographic notions (that were long ago attained under other number-theoretic assumptions) still remain unrealized under lattice assumptions.


1.1 Overview of Results and Techniques 


Our main thesis in this work is that lattices admit natural and innate “trapdoors” that have a number of useful cryptographic applications. Going at least as far back as the GGH proposal, it was intuitively believed that a short basis of a lattice (i.e., a basis in which all the vectors are relatively short) could serve as such a trapdoor. Our central contribution is in showing how to use a short basis in a theoretically sound and secure way.

As a basic tool, we first construct a collection of trapdoor functions having some special properties. The functions are surjective and many-to-one (i.e., every output value has several preimages), and the trapdoor inversion algorithm samples from among all the preimages under an appropriate distribution. Building upon this foundation, we then give direct lattice-based constructions of richer cryptographic notions, such as signature schemes and identity-based encryption.

A core component of all our constructions is an efficient algorithm that samples from a so-called discrete Gaussian probability distribution over an arbitrary lattice, given an appropriate basis. We believe that the sampling algorithm may have additional applications in complexity and cryptography.

¹ Indirect (but inefficient) constructions are of course possible by a generic transformation from universal one-way hash functions [42], or (in the random oracle model) by applying the Fiat-Shamir heuristic [24] to lattice-based identification schemes [41].


1.1.1 Gaussian Sampling Algorithm 


Because it is the foundation of our cryptographic results, we start by summarizing the Gaussian sampler. The distribution from which it samples is called a discrete Gaussian over an $n$-dimensional lattice $\Lambda$.² Under such a distribution $D_{\Lambda,s,c}$, the probability of each vector $v \in \Lambda$ is proportional to $\exp(-\pi\|v - c\|^2/s^2)$, where $c \in \mathbb{R}^n$ and $s > 0$ are parameters of the distribution akin to its mean and standard deviation, respectively. Discrete Gaussians over lattices are standard in mathematics (see, e.g., [8, 9]), and have recently proved to be an exceedingly useful analytical tool in studying the computational complexity of lattice problems [1, 2, 45], particularly their worst-case/average-case connections (e.g., [51, 40, 52]).

The sampling algorithm takes as input the desired parameters $c \in \mathbb{R}^n$ and $s > 0$, and an arbitrary basis $B = \{b_1, \ldots, b_n\}$ of the lattice $\Lambda$. The output is a lattice vector distributed according to $D_{\Lambda,s,c}$, as long as the parameter $s$ exceeds the length of all the Gram-Schmidt³ vectors $\tilde{b}_i$ of the basis $B$ (times a small extra factor). In other words, the “width” of the sampled Gaussian is determined by the quality of the input basis. As an alternate perspective, one can view the sampler as a randomized decoder that outputs a lattice vector relatively close to $c$. A key property is that the output distribution depends only on the lengths of $B$’s Gram-Schmidt vectors, and is otherwise oblivious to the particular geometry of the basis $B$.

The algorithm itself is actually a simple randomized variant of Babai’s “nearest-plane” algorithm [7], which was originally proposed by Klein [32] in another context. Instead of deterministically rounding to the nearest plane in each iteration, the algorithm simply chooses a plane with a probability determined by its distance from the target point. While the algorithm itself is not new, we present a (nearly) exact analysis of its output distribution using a lattice quantity called the smoothing parameter, as defined by Micciancio and Regev [40]. In the process, we also bound the smoothing parameter in terms of a quantity that we call the Gram-Schmidt minimum; this improves upon a prior bound involving the $n$th successive minimum [40].

As an additional application, in the full version [26] we use the sampling algorithm to give conceptually simpler and slightly tighter worst-case to average-case reductions for lattice problems, building on prior Gaussian techniques [40].


² An $n$-dimensional lattice is the set of all integer linear combinations $c_1 b_1 + \cdots + c_n b_n$ (where each $c_i \in \mathbb{Z}$) of some linearly independent basis vectors $b_1, \ldots, b_n \in \mathbb{R}^n$.

³ The Gram-Schmidt vectors are defined iteratively: $\tilde{b}_1 = b_1$, and $\tilde{b}_i$ is the component of $b_i$ orthogonal to $\mathrm{span}(b_1, \ldots, b_{i-1})$ for $i = 2, \ldots, n$. In particular, note that $\|\tilde{b}_i\| \le \|b_i\|$.
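The randomized nearest-plane sampler described above (Klein's algorithm with the analysis of this paper), as an added example that is not code from the paper: pure-Python Gram-Schmidt, Babai's deterministic nearest-plane, the randomized variant that draws each coefficient from $D_{\mathbb{Z}, s/\|\tilde b_i\|, c_i'}$, and a brute-force computation of the exact $D_{\Lambda,s,c}$ on a constructed 2-dimensional lattice, used to check that the sampler's output matches it for two different bases of the same lattice with equal Gram-Schmidt lengths. The function names, the lattice, the parameters and the table-based integer sampler (rather than rejection sampling) are my assumptions, not the paper's.

```python
import itertools
import math
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def axpy(a, x, y):
    """Return y + a*x for equal-length vectors."""
    return [yi + a * xi for xi, yi in zip(x, y)]


def gram_schmidt(B):
    """Gram-Schmidt vectors b~_1, ..., b~_n of the ordered basis B (one basis vector per row)."""
    Bt = []
    for b in B:
        bt = list(b)
        for t in Bt:
            bt = axpy(-dot(b, t) / dot(t, t), t, bt)
        Bt.append(bt)
    return Bt


def gs_lengths(B):
    return [math.sqrt(dot(t, t)) for t in gram_schmidt(B)]


def sample_z(sigma, center, rng):
    """Sample from D_{Z,sigma,center}: P(k) proportional to exp(-pi (k - center)^2 / sigma^2).
    Exact weight table over the integers within 10 sigma of the center (truncated mass is negligible);
    this is an assumption of the example, the paper does not fix how the 1-D sampler is realized."""
    lo, hi = math.floor(center - 10 * sigma), math.ceil(center + 10 * sigma)
    ks = list(range(lo, hi + 1))
    ws = [math.exp(-math.pi * (k - center) ** 2 / sigma ** 2) for k in ks]
    return rng.choices(ks, weights=ws)[0]


def sample_d(B, s, c, rng=None, randomized=True):
    """Randomized nearest-plane algorithm (Klein / SampleD).  For i = n, ..., 1: project the running
    target onto b~_i to get c_i', draw z_i from D_{Z, s/||b~_i||, c_i'}, subtract z_i b_i.
    With randomized=False the coefficient is rounded instead: Babai's deterministic nearest-plane.
    Returns (v, z) with v = sum_i z_i b_i, a lattice point."""
    rng = rng or random.Random()
    Bt = gram_schmidt(B)
    n = len(B)
    cur = list(c)
    z = [0] * n
    for i in range(n - 1, -1, -1):
        ci = dot(cur, Bt[i]) / dot(Bt[i], Bt[i])          # coordinate of the target along b~_i
        if randomized:
            z[i] = sample_z(s / math.sqrt(dot(Bt[i], Bt[i])), ci, rng)
        else:
            z[i] = math.floor(ci + 0.5)
        cur = axpy(-z[i], B[i], cur)
    v = [0.0] * len(c)
    for i in range(n):
        v = axpy(z[i], B[i], v)
    return v, z


def exact_discrete_gaussian(B, s, c, R):
    """D_{Lambda,s,c} by brute force: enumerate coefficient vectors in [-R, R]^n, weight each lattice
    point by rho_{s,c}(v) = exp(-pi ||v - c||^2 / s^2), normalize.  Feasible only for tiny n;
    it serves as ground truth for the sampler.  Keys are coefficient vectors w.r.t. B."""
    n = len(B)
    weights = {}
    for z in itertools.product(range(-R, R + 1), repeat=n):
        v = [0.0] * len(c)
        for i in range(n):
            v = axpy(z[i], B[i], v)
        d = [vi - ci for vi, ci in zip(v, c)]
        weights[z] = math.exp(-math.pi * dot(d, d) / s ** 2)
    total = sum(weights.values())
    return {z: w / total for z, w in weights.items()}


def sampler_statistical_distance(B, s, c, n_samples=20000, seed=1, R=16):
    """Empirical statistical distance between the output of sample_d and the exact D_{Lambda,s,c}."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n_samples):
        _, z = sample_d(B, s, c, rng)
        counts[tuple(z)] = counts.get(tuple(z), 0) + 1
    exact = exact_discrete_gaussian(B, s, c, R)
    keys = set(exact) | set(counts)
    return 0.5 * sum(abs(exact.get(k, 0.0) - counts.get(k, 0) / n_samples) for k in keys)


# Constructed example: two bases of the same 2-dimensional lattice {(2a + b, 2b)}.  Their
# Gram-Schmidt lengths agree (both are (2, 2)), so the sampler's output distribution must agree too.
B1 = [[2, 0], [1, 2]]
B2 = [[2, 0], [3, 2]]
S = 4.0          # s = 2 * max ||b~_i||: the per-coordinate integer Gaussians have parameter 2
C = [0.5, 0.5]

if __name__ == "__main__":
    print("Gram-Schmidt lengths:", gs_lengths(B1), gs_lengths(B2))
    print("Babai nearest plane for c = (0.4, 1.2):", sample_d(B1, S, [0.4, 1.2], randomized=False)[0])
    for B in (B1, B2):
        print("statistical distance to the exact D_{Lambda,s,c}:", sampler_statistical_distance(B, S, C))
```

With 20000 samples the measured statistical distance is about 0.01 for both bases, which is the sampling noise of the empirical estimate rather than a bias of the algorithm.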
1.1.2 Cryptographic Constructions


Our cryptographic results are summarized as follows:

• We propose a new abstraction called trapdoor functions with preimage sampling, and present a construction whose security is based on the presumed worst-case hardness of standard lattice problems (and whose efficiency is comparable to prior lattice-based cryptographic functions).

• We show that our new abstraction can securely serve as a black-box replacement for trapdoor permutations in several prior signature schemes, including those that follow the “hash-and-sign” paradigm (in the random oracle model) [11, 12, 20], and a construction of Bellare and Micali (in the plain model) [10]. In particular, we obtain simple and efficient “hash-and-sign” lattice-based signatures, in the random oracle model.

• We construct an asymptotically efficient identity-based cryptosystem (in the random oracle model, or under an “interactive” assumption) based on learning with errors (LWE), a bounded-distance decoding problem on lattices that generalizes the well-known “learning parity under noise” problem. As shown by Regev [52], the average-case hardness of LWE can be based on the presumed worst-case hardness of standard lattice problems for quantum algorithms.

• We present some trapdoor techniques for the LWE problem and cryptosystems based upon it. A concurrent work [48] applies these techniques to instantiate a general framework for efficient and universally composable oblivious transfer.

The worst-case problems underlying our schemes are to approximate the shortest independent vectors problem SIVP or the decision version of the shortest vector problem GapSVP to within small polynomial (in the dimension $n$) factors. Known classical (and quantum) algorithms for these problems require time and space that are exponential in $n$ [6], and known polynomial-time algorithms obtain approximation factors that are essentially exponential in $n$ [33, 55].

In all of our constructions, we need to generate a “hard” public basis $B$ (chosen at random from some appropriate distribution) of some lattice $\Lambda$, together with a “good” trapdoor basis $T$ of $\Lambda$ whose Gram-Schmidt vectors are relatively short (this is used as advice for the sampling algorithm). Our preferred approach comes from a little-known paper of Ajtai [4], who described a way to generate such bases so that the random public basis has worst-case hardness. As far as we know, our results are the first applications of Ajtai’s generator in cryptography or otherwise.


Trapdoor functions with preimage sampling.

The basic object underlying our higher-level cryptographic tools is a collection of one-way (and even collision-resistant) trapdoor functions. Intuitively, evaluating a public function $f = f_B$ (where $B$ is the public basis for $\Lambda$) on a random input corresponds to choosing a lattice point $v \in \Lambda$ “uniformly at random” and perturbing it by some relatively short error term $e$, yielding a point $y = v + e$.⁴ Inverting $y$ corresponds to decoding it to any sufficiently nearby lattice point $v' \in \Lambda$ (not necessarily the original $v$; the error term is large enough that many preimages are possible). Given the trapdoor basis $T$, it is easy to decode $y$ using the sampling algorithm. But given only the public basis $B$, the decoding problem is hard (on the average, for the particular distribution of $B$ and $y$).

⁴ Of course, as an infinite set, the lattice $\Lambda$ cannot support a uniform distribution. Formally, $f$ applies the standard technique of reducing a random error term $e$ modulo the public basis $B$.

Our trapdoor functions have two crucial properties for security in cryptographic applications. First, the random input (the error term $e$) is drawn from a relatively narrow Gaussian distribution, and under this distribution, the output $y$ is statistically close to uniform over the range. Second, the trapdoor inversion algorithm does not just find an arbitrary preimage of $y$, but actually samples from among its preimages under the appropriate conditional distribution, i.e., a discrete Gaussian over $\Lambda$. In other words, the inverter samples an input $e$ from the Gaussian input distribution, conditioned on the event $f(e) = y$.

The properties described above imply that there are two (nearly) equivalent ways of choosing a pair $(e, y = f(e))$: either choose $e$ from the input distribution and compute $y = f(e)$, or choose $y$ uniformly at random and sample $e$ from $f^{-1}(y)$. As we shall see, these properties make our trapdoor functions “as good as” trapdoor permutations in certain applications.

Signature schemes.

The cryptographic literature contains several existentially unforgeable digital signature schemes based on trapdoor permutations. Using the “hash-and-sign paradigm” [22, 53] in the random oracle model, we have the simple and efficient full-domain hash (FDH) scheme [11] and its variants [12, 20]. In the plain model, there is a tree-based scheme of Bellare and Micali [10] that, while somewhat inefficient, has significantly shorter signatures than generic constructions based on one-way or universal one-way functions [42, 54].

We show that all of the above permutation-based signature schemes can also be instantiated using (as a black box) any collection of trapdoor functions with preimage sampling, and retain their security analyses in their respective models (though subtleties can arise when signing the same message more than once). In fact, by relying on the collision resistance of our functions, we are able to give tight security reductions for FDH (and its variants), whereas reductions for plain FDH based on trapdoor permutations are inherently loose [20]. Using similar techniques, we also give a much tighter reduction for the scheme of Bellare and Micali.

Concretely, our hash-and-sign schemes represent a more theoretically sound way of instantiating the (insecure) GGH proposal [28] and its variants, such as NTRUSign [30]. Informally, in these schemes a message is hashed to a point in some region of space, and its signature is essentially a nearby lattice point, which is found using a “good” secret basis. Our schemes have two main differences: first, they are based on random lattices that enjoy worst-case hardness; second and more importantly, the signatures are generated by a randomized decoding algorithm whose output distribution is oblivious to the geometry of the secret basis. (The original GGH proposal is insecure precisely because its signatures leak information about the “shape” of the trapdoor basis [43].)
Trapdoors for learning with errors.

Our next two applications are centered around the learning with errors (LWE) problem, as defined by Regev [52]. We observe that LWE is essentially a bounded-distance decoding problem on the dual lattice $\Lambda^*$ of $\Lambda$, where as above, $\Lambda$ is a random lattice having public basis $B$ (and trapdoor basis $T$). The goal of LWE is to decode a randomly-chosen lattice vector $w \in \Lambda^*$ that has been perturbed by some small amount of noise. The perturbation is small enough that $w$ is indeed the vector in $\Lambda^*$ closest to the perturbed point $p$.

In one version of Regev’s LWE-based cryptosystem [52], the same dual lattice $\Lambda^*$ is shared among all users, and public keys are perturbed points $p$ as above. Security is demonstrated by showing that such public keys are indistinguishable from so-called “messy” public keys, whose ciphertexts carry no information about the encrypted messages. As in prior lattice-based cryptosystems [5, 51], this is done using a non-constructive probabilistic argument.

A concurrent work of Peikert, Vaikuntanathan, and Waters [48] defines a general framework for efficient oblivious transfer, and instantiates it using cryptosystems that admit messy public keys. However, the framework requires a way to identify messy keys efficiently, given some master trapdoor for the cryptosystem. In this work, we give an explicit geometric description of messy keys in Regev’s cryptosystem, and a way of efficiently identifying them. Essentially, a public key $p$ is messy if the minimum distance of the dual lattice $\Lambda^*$ remains large after adjoining $p$ to it. To identify such keys, we use the Gaussian sampling algorithm with the trapdoor basis $T$ of $\Lambda$ to implement the preprocessing phase of an algorithm of Aharonov and Regev [2]. Using an extension of this algorithm due to Liu, Lyubashevsky, and Micciancio [34], we also show how to extract the secret key $w \in \Lambda^*$ from any properly-generated public key $p$, i.e., we show how to solve LWE using a master trapdoor.

(Due to space constraints, we omit the details of the techniques described above, and refer the interested reader to the full version [26].)


Identity-based encryption.

In identity-based encryption (IBE), first envisioned by Shamir [56], any string can serve as a public key, and secret keys are administered by an authority who knows some master secret key of the system. Thus far, IBE has been realized under various assumptions relating to groups with bilinear pairings (e.g., [14, 57]), and under the quadratic residuosity (QR) assumption in the random oracle model or an “interactive” QR assumption in the plain model [18, 15].

Our final application is an efficient IBE based on LWE in the random oracle model (or in the plain model under an interactive LWE assumption). Although secret keys can be extracted from public keys using a master trapdoor for Regev’s cryptosystem, obtaining IBE is still not entirely straightforward. Essentially, the problem is that well-formed public keys are exponentially sparse, because they consist only of points that are very close to the shared lattice $\Lambda^*$. Hence, it is difficult to see how a hash function or a random oracle could map identities to valid public keys.

We circumvent this problem by constructing a “dual” of Regev’s public-key cryptosystem, in which the key generation and encryption algorithms are effectively swapped: public keys belong to the “primal” space containing $\Lambda$, and encryption is performed in the “dual” space containing $\Lambda^*$.

In the resulting system, every point of the primal space is a valid public key having many equivalent secret keys, which are simply the nearby lattice points in $\Lambda$. Using the Gaussian decoder with the trapdoor basis $T$ of $\Lambda$, the authority can extract a (properly-distributed) secret key from any public key. (In fact, extracting a secret key for an identity is entirely equivalent to signing that identity under our full-domain hash signature scheme.)

Because it uses a trapdoor for extracting secret keys, our IBE is structurally closest to those based on quadratic residuosity [18, 15]. It is remarkably efficient, at least asymptotically: for messages of length $n \log n$ (where $n$ is the security parameter), the amortized encryption and decryption times are only $O(n)$ per message bit, and the ciphertext expansion factor can be made as small as $O(1)$. One possible drawback of our system is that the master public key and individual secret keys are $O(n^2)$ bits. As a point of comparison, the recent QR-based IBE of Boneh, Gentry, and Hamburg [15] has essentially optimal additive ciphertext expansion of $O(n)$ bits (where $n$ is the size of the master public modulus $N = pq$), but encryption and decryption time are $O(n^4)$ and $O(n^2)$ per message bit, respectively.


1.2 Related Work 


The randomized nearest-plane algorithm we use for Gaussian sampling was originally proposed by Klein [32] for solving a variant of the closest vector problem, in which the target point is “unusually close” to the lattice. Klein’s analysis is focused on the case where the parameter $s$ is approximately the length of the shortest Gram-Schmidt vector of the input basis; for such parameters, the output distribution is concentrated on the unique closest lattice vector, but may be quite far from a discrete Gaussian. Recently, Nguyen and Vidick [44] showed that the output distribution is “quasi-Gaussian” when $s$ is the length of the longest Gram-Schmidt vector; our analysis (nearly) subsumes theirs.

Independently of our work, Lyubashevsky and Micciancio [36] present a direct lattice-based construction of a one-time signature scheme that can sign $O(n)$-bit messages in only $O(n)$ time. The efficiency of the scheme and its security proof are both based on special classes of so-called ideal lattices that have extra algebraic structure, studied in [38, 46, 35, 47]. A full signature scheme having comparable asymptotic efficiency is also obtained by incorporating the one-time scheme into a standard tree structure, though the signing algorithm must keep state proportional to the number of signed messages (barring a pseudorandom function of comparable efficiency).

Several works have given tight security reductions for FDH-like signatures based on variants of trapdoor permutations or specific number-theoretic assumptions. Coron [19] improved the exact security of FDH for its concrete instantiation with RSA. Dodis and Reyzin [23] presented tight reductions for probabilistic FDH (PFDH) based on any collection of claw-free pairs of trapdoor permutations. Katz and Wang [31] gave a tight reduction based on claw-free pairs for PFDH with only one bit of salt. Bernstein [13] recently gave a tight reduction for a concrete instantiation of FDH with Rabin-Williams signatures. We remark that claw-free pairs can be viewed as a special case of collision-resistant trapdoor functions with preimage sampling from $n+1$ bits to $n$ bits, where the extra input bit indicates which of the two permutations is evaluated on the remaining bits.

Using entirely different techniques, Peikert and Waters [49] have constructed a complementary collection of injective trapdoor functions based on LWE (among other assumptions). Their TDFs imply several cryptographic primitives, most notably chosen ciphertext-secure encryption, but have exponentially-sparse images that seem less well-suited toward applications like signature schemes and IBE. From a purely aesthetic point of view, our trapdoor functions also correspond more directly to “natural” lattice problems.


1.3 Open Problems 


Many interesting questions arise from our work. The most important problem, in our view, is to construct a simple and efficient lattice-based signature scheme without using tree structures or a random oracle. Even under other strong number-theoretic assumptions, only a few such schemes are known (e.g., [25, 21]), so this problem appears quite challenging. A related problem is to construct an IBE without a random oracle under standard lattice assumptions (recall that our IBE can be based on a non-standard “interactive” LWE assumption in the plain model).

Another important direction is to obtain more efficient cryptographic schemes based on ideal (e.g., cyclic) lattices, as in prior works [38, 46, 35, 47, 36]. Most of our techniques apply equally well to ideal lattices; two main technical hurdles are to generate appropriate random lattices with good trapdoor bases, and to demonstrate a hard decoding problem analogous to LWE.

The concrete security of our schemes (i.e., the approximation factor obtained by the worst-case/average-case reduction) is determined by the Gaussian parameter of the sampling algorithm, which in turn depends on the quality of the trapdoor basis. It is therefore important to optimize Ajtai’s trapdoor generator [4] and its analysis, as well as to seek other Gaussian sampling algorithms that might work for smaller parameters $s$ (perhaps given different advice).

A final interesting problem is to construct a lattice-based IBE having security under chosen-ciphertext attack (CCA security). The techniques of [49] for obtaining CCA security in lattice-based public-key cryptosystems are quite different from ours, and do not appear to be immediately applicable to our IBE. Combining the two approaches seems to be a worthy goal.


2. PRELIMINARIES 


For a positive integer $n$, $[n]$ denotes $\{1, \ldots, n\}$. The natural security parameter throughout the paper is $n$, and all other quantities are implicitly functions of $n$. We extend any real function $f(\cdot)$ to a countable set $A$ by defining $f(A) = \sum_{x \in A} f(x)$.

By convention, vectors are in column form and are written using bold lower-case letters, e.g. $\mathbf{x}$. The $i$th component of $\mathbf{x}$ will be denoted by $x_i$. Matrices are written as bold capital letters, e.g. $\mathbf{X}$, and the $i$th column vector of a matrix $\mathbf{X}$ is denoted $\mathbf{x}_i$. The length of a matrix is the norm of its longest column: $\|\mathbf{X}\| = \max_i \|\mathbf{x}_i\|$. For convenience, we sometimes view a matrix as simply the set of its column vectors.

The statistical distance between two distributions $X$ and $Y$ over a countable domain $D$ is defined to be

$$\frac{1}{2} \sum_{d \in D} |X(d) - Y(d)|.$$

We say that two distributions (formally, two ensembles of distributions indexed by $n$) are statistically close if their statistical distance is negligible in $n$.

For signature schemes, we use the standard notion of strong existential unforgeability under chosen-message attack [29]. For identity-based encryption (IBE), we use the standard definition of security under a chosen-plaintext and chosen-identity attack [14]. In brief, an adversary is given access to an oracle that returns secret keys for any input identity, and attempts to distinguish between encryptions of two messages of its choice, encrypted under an identity of its choice (for which it may not query the oracle).


2.1 Lattices 


Let $B = \{b_1, \ldots, b_n\} \subset \mathbb{R}^n$ consist of $n$ linearly independent vectors. The $n$-dimensional lattice⁵ $\Lambda$ generated by the basis $B$ is

$$\Lambda = \mathcal{L}(B) = \Big\{ Bc = \sum_{i \in [n]} c_i b_i \;:\; c \in \mathbb{Z}^n \Big\}.$$

The minimum distance $\lambda_1(\Lambda)$ of a lattice $\Lambda$ is the length (in the Euclidean $\ell_2$ norm, unless otherwise indicated) of its shortest nonzero vector: $\lambda_1(\Lambda) = \min_{0 \ne x \in \Lambda} \|x\|$. More generally, the $i$th successive minimum $\lambda_i(\Lambda)$ is the smallest radius $r$ such that $\Lambda$ contains $i$ linearly independent vectors of norm at most $r$. We write $\lambda_1^\infty$ to denote the minimum distance measured in the $\ell_\infty$ norm (which is defined as $\|x\|_\infty = \max_i |x_i|$).

A lattice is a discrete additive subgroup of $\mathbb{R}^n$. Therefore for lattices $\Lambda' \subseteq \Lambda$, the quotient group $\Lambda/\Lambda'$ (also written $\Lambda \bmod \Lambda'$) is well-defined as the additive group of distinct cosets $v + \Lambda'$ for $v \in \Lambda$, with addition of cosets defined in the usual way.

For any (ordered) set $S = \{s_1, \ldots, s_n\} \subset \mathbb{R}^n$ of linearly independent vectors, let $\tilde S = \{\tilde s_1, \ldots, \tilde s_n\}$ denote its Gram-Schmidt orthogonalization, defined iteratively in the following way: $\tilde s_1 = s_1$, and for each $i = 2, \ldots, n$, $\tilde s_i$ is the component of $s_i$ orthogonal to $\mathrm{span}(s_1, \ldots, s_{i-1})$. Clearly, $\|\tilde s_i\| \le \|s_i\|$. The following useful lemma says that any full-rank set of vectors in a lattice can be efficiently converted to a basis of the lattice, without increasing the lengths of the Gram-Schmidt vectors.

LEMMA 2.1 ([39, Lemma 7.1, page 129]). There is a deterministic polynomial-time algorithm that, given an arbitrary basis $B$ of an $n$-dimensional lattice $\Lambda = \mathcal{L}(B)$ and a full-rank set of lattice vectors $S \subset \Lambda$ (in non-decreasing order by length), outputs a basis $T$ of $\Lambda$ such that $\|\tilde t_i\| \le \|\tilde s_i\|$ for all $i \in [n]$.

The dual lattice of $\Lambda$, denoted $\Lambda^*$, is defined to be $\Lambda^* = \{x \in \mathbb{R}^n : \forall v \in \Lambda,\ \langle x, v \rangle \in \mathbb{Z}\}$. By symmetry, it can be seen that $(\Lambda^*)^* = \Lambda$. If $B$ is a basis of $\Lambda$, it can be seen that the dual basis $B^* = (B^{-1})^T$ is in fact a basis of $\Lambda^*$. The following standard fact relates the Gram-Schmidt orthogonalizations of a basis and its dual (a proof can be found in [50, Lecture 8]).

LEMMA 2.2. Let $\{b_1, \ldots, b_n\}$ be an (ordered) basis, and let the ordered basis $\{d_n, \ldots, d_1\}$ be its dual in reversed order (i.e., $d_i = b^*_{n-i+1}$). Then $\tilde d_i = \tilde b_{n-i+1} / \|\tilde b_{n-i+1}\|^2$ for all $i \in [n]$.

⁵ Technically, this is the definition of a full-rank lattice, which is all we will be concerned with in this work.

For completeness, we recall two standard worst-case approximation problems on lattices. In both problems, $\gamma = \gamma(n)$ is the approximation factor.

Definition 1. An input to the shortest (nonzero) vector problem $\mathrm{GapSVP}_\gamma$ is a basis $B$ of a full-rank $n$-dimensional lattice. It is a YES instance if $\lambda_1(\mathcal{L}(B)) \le 1$, and is a NO instance if $\lambda_1(\mathcal{L}(B)) > \gamma(n)$.

Definition 2. An input to the shortest independent vectors problem $\mathrm{SIVP}_\gamma$ is a full-rank basis $B$ of an $n$-dimensional lattice. The goal is to output a set of $n$ linearly independent lattice vectors $S \subset \mathcal{L}(B)$ such that $\|S\| \le \gamma(n) \cdot \lambda_n(\mathcal{L}(B))$.


2.2 Gaussians on Lattices 


Our review of Gaussian measures over lattices follows the development by prior works [51, 2, 40]. For any $s > 0$ define the Gaussian function on $\mathbb{R}^n$ centered at $c$ with parameter $s$:

$$\forall x \in \mathbb{R}^n,\quad \rho_{s,c}(x) = \exp(-\pi \|x - c\|^2 / s^2).$$

The subscripts $s$ and $c$ are taken to be $1$ and $0$ (respectively) when omitted.

For any $c \in \mathbb{R}^n$, real $s > 0$, and $n$-dimensional lattice $\Lambda$, define the discrete Gaussian distribution over $\Lambda$ as:

$$\forall x \in \Lambda,\quad D_{\Lambda,s,c}(x) = \frac{\rho_{s,c}(x)}{\rho_{s,c}(\Lambda)}.$$

(As above, we may omit the parameters $s$ or $c$.) Note that the denominator in the above expression is merely a normalization factor; the probability $D_{\Lambda,s,c}(x)$ is simply proportional to $\rho_{s,c}(x)$.

Micciancio and Regev [40] proposed a lattice quantity called the smoothing parameter:

Definition 3. For any $n$-dimensional lattice $\Lambda$ and positive real $\epsilon > 0$, the smoothing parameter $\eta_\epsilon(\Lambda)$ is the smallest real $s > 0$ such that $\rho_{1/s}(\Lambda^* \setminus \{0\}) \le \epsilon$.

In this paper we use two bounds on the smoothing parameter. The first relates the smoothing parameter of a lattice to the minimum distance of its dual lattice, in the $\ell_\infty$ norm.

LEMMA 2.3 ([45]). For any $n$-dimensional lattice $\Lambda$ and real $\epsilon > 0$, we have

$$\eta_\epsilon(\Lambda) \le \frac{\sqrt{\log(2n(1 + 1/\epsilon))/\pi}}{\lambda_1^\infty(\Lambda^*)}.$$

Then for any $\omega(\sqrt{\log n})$ function, there is a negligible $\epsilon(n)$ for which $\eta_\epsilon(\Lambda) \le \omega(\sqrt{\log n}) / \lambda_1^\infty(\Lambda^*)$.

The second bound on the smoothing parameter relates the smoothing parameter to the longest Gram-Schmidt vector in any basis of the lattice; see Section 3.

We now state some facts regarding discrete Gaussians that apply when the parameter $s$ exceeds the smoothing parameter of the lattice.

LEMMA 2.4 ([40]). Let $\Lambda$ be any $n$-dimensional lattice. Then for any $\epsilon \in (0,1)$, $s \ge \eta_\epsilon(\Lambda)$, and $c \in \mathbb{R}^n$, we have

$$\rho_{s,c}(\Lambda) \in \Big[\frac{1 - \epsilon}{1 + \epsilon},\, 1\Big] \cdot \rho_s(\Lambda).$$

LEMMA 2.5 ([40, Lemma 4.4]). For any $n$-dimensional lattice $\Lambda$, $c \in \mathrm{span}(\Lambda)$, real $\epsilon \in (0,1)$, and $s \ge \eta_\epsilon(\Lambda)$,

$$\Pr_{x \sim D_{\Lambda,s,c}}\big[\|x - c\| > s\sqrt{n}\big] \le \frac{1 + \epsilon}{1 - \epsilon} \cdot 2^{-n}.$$

LEMMA 2.6 ([46]). For any $n$-dimensional lattice $\Lambda$, $c \in \mathbb{R}^n$, $\epsilon > 0$, $s \ge 2\eta_\epsilon(\Lambda)$, and $x \in \Lambda$, we have

$$D_{\Lambda,s,c}(x) \le \frac{1 + \epsilon}{1 - \epsilon} \cdot 2^{-n}.$$

Then for $\epsilon < 1/3$, the min-entropy of $D_{\Lambda,s,c}$ is at least $n - 1$.


2.3 Learning with Errors 


We now review the learning with errors problem [52]. For any $\alpha > 0$, the continuous Gaussian distribution $D_\alpha$ has density function $\exp(-\pi x^2/\alpha^2)/\alpha$ for all $x \in \mathbb{R}$. For a positive integer $q$, define $\bar\Psi_\alpha$ to be the distribution on $\mathbb{Z}_q$ obtained by taking a sample from $D_{q\alpha}$, rounding to the nearest integer, and reducing modulo $q$.

For an integer $q \ge 2$ and some error distribution $\chi$ over $\mathbb{Z}_q$, a positive dimension $n \in \mathbb{Z}$, and a vector $s \in \mathbb{Z}_q^n$, $A_{s,\chi}$ is the distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$ of the variable $(a, \langle a, s \rangle + x)$ where $a \leftarrow \mathbb{Z}_q^n$ is uniformly random and $x \leftarrow \chi$ are independent, and all operations are performed in $\mathbb{Z}_q$. The goal of the (average-case) learning with errors problem $\mathrm{LWE}_{q,\chi}$ is to distinguish (with nonnegligible probability) between the distribution $A_{s,\chi}$ for some uniform (secret) $s \leftarrow \mathbb{Z}_q^n$ and the uniform distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$, via oracle access to the given distribution.

Regev proved that for certain moduli $q$ and error distributions $\chi$, $\mathrm{LWE}_{q,\chi}$ is as hard as approximating standard lattice problems in the worst case, using a quantum algorithm.

PROPOSITION 2.7 ([52]). Let $\alpha = \alpha(n) \in (0,1)$ and let $q = q(n)$ be a prime such that $q \cdot \alpha > 2\sqrt{n}$. If there exists an efficient (possibly quantum) algorithm that solves $\mathrm{LWE}_{q,\bar\Psi_\alpha}$, then there exists an efficient quantum algorithm for approximating SIVP and GapSVP in the worst case to within $\tilde O(n/\alpha)$ factors.
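The definitions just given ($\bar\Psi_\alpha$, $A_{s,\chi}$, and the parameter condition $q \cdot \alpha > 2\sqrt{n}$ of Proposition 2.7) in executable form, as an added example that is not the paper's code. It generates LWE pairs for a constructed toy parameter set ($n = 8$, $q = 97$, $q\alpha = 6$; all choices are mine) and shows the bounded-distance-decoding view of Section 1.1.2 from the side that holds the secret: on $A_{s,\chi}$ the residual $b - \langle a, s \rangle \bmod q$ is a small rounded Gaussian error, while on uniform pairs it is spread over all of $\mathbb{Z}_q$. Function names are assumptions of the example.

```python
import math
import random


def sample_psi_bar(q, alpha, rng):
    """One sample from the rounded Gaussian Psi-bar_alpha on Z_q: draw x from the continuous
    Gaussian D_{q*alpha} with density exp(-pi x^2 / (q alpha)^2) / (q alpha), round to the
    nearest integer, reduce mod q.  exp(-pi x^2 / r^2) is a normal density with standard
    deviation r / sqrt(2 pi)."""
    r = q * alpha
    x = rng.gauss(0.0, r / math.sqrt(2 * math.pi))
    return int(math.floor(x + 0.5)) % q


def lwe_samples(n, q, alpha, s, m, rng):
    """m samples from A_{s,chi} with chi = Psi-bar_alpha: pairs (a, <a, s> + x) over Z_q."""
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        x = sample_psi_bar(q, alpha, rng)
        b = (sum(ai * si for ai, si in zip(a, s)) + x) % q
        out.append((a, b))
    return out


def uniform_samples(n, q, m, rng):
    """m uniformly random pairs on Z_q^n x Z_q, the other distribution LWE asks to distinguish."""
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q)) for _ in range(m)]


def centered(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def small_residual_fraction(samples, s, q, bound):
    """Fraction of samples whose residual b - <a, s> (mod q) is at most `bound` in absolute
    value.  With the secret in hand this is a trivial distinguisher: close to 1 on A_{s,chi},
    about (2*bound + 1) / q on uniform pairs.  Without s there is no such shortcut."""
    hits = 0
    for a, b in samples:
        r = centered(b - sum(ai * si for ai, si in zip(a, s)), q)
        hits += abs(r) <= bound
    return hits / len(samples)


def demo(seed=7):
    n, q = 8, 97                 # q prime; q * alpha = 6 > 2 * sqrt(8) = 5.66 as in Proposition 2.7
    alpha = 6 / q                # error standard deviation is 6 / sqrt(2 pi), about 2.4
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    lwe = lwe_samples(n, q, alpha, s, 300, rng)
    uni = uniform_samples(n, q, 300, rng)
    bound = q // 8               # 12, about five standard deviations of the error term
    return small_residual_fraction(lwe, s, q, bound), small_residual_fraction(uni, s, q, bound)


if __name__ == "__main__":
    f_lwe, f_uniform = demo()
    print("small residuals on A_{s,chi}:", f_lwe)
    print("small residuals on uniform pairs:", f_uniform)
```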


3. SMOOTHING PARAMETER BOUND 


Here we give a new bound on the smoothing parameter relative to a certain lattice quantity. For a lattice Λ, define the Gram-Schmidt minimum as

$$\widetilde{bl}(\Lambda) = \min_{\mathbf{B}} \|\widetilde{\mathbf{B}}\| = \min_{\mathbf{B}} \max_{i \in [n]} \|\widetilde{\mathbf{b}}_i\|,$$

where the minimum is taken over all (ordered) bases B of Λ. (This definition is equivalent to one given by Cai [16].) The definition is restricted to bases without loss of generality, because Lemma 2.1 implies that for any full-rank set S ⊂ Λ, there is a basis T of Λ such that $\|\widetilde{\mathbf{T}}\| \le \|\widetilde{\mathbf{S}}\| \le \|\mathbf{S}\|$.

LEMMA 3.1. For any n-dimensional lattice Λ and real ε > 0, we have

$$\eta_\epsilon(\Lambda) \le \widetilde{bl}(\Lambda) \cdot \sqrt{\log(2n(1+1/\epsilon))/\pi}.$$

Then for any ω(√log n) function, there is a negligible ε(n) for which $\eta_\epsilon(\Lambda) \le \widetilde{bl}(\Lambda) \cdot \omega(\sqrt{\log n})$.

LEMMA 3.2. For any n-dimensional lattice Λ,

$$\lambda_1(\Lambda) \le \widetilde{bl}(\Lambda) \le \lambda_n(\Lambda) \le \sqrt{n} \cdot \widetilde{bl}(\Lambda).$$

Furthermore, the latter inequality is tight up to some constant factor, i.e., there exists a family of lattices $\{\Lambda_n\}_{n \in \mathbb{N}}$ such that Λ_n is an n-dimensional lattice and $\lambda_n(\Lambda_n) \ge \Omega(\sqrt{n}) \cdot \widetilde{bl}(\Lambda_n)$.

In particular, because $\widetilde{bl}(\Lambda) \le \lambda_n(\Lambda)$ by Lemma 3.2, the bound from Lemma 3.1 on the smoothing parameter is at least as strong as a prior one relating it to λ_n [40, Lemma 3.3] (and by the last part of Lemma 3.2, the new bound can be up to an Ω(√n) factor tighter).

We now prove Lemma 3.1; the proof of Lemma 3.2 is 
rather routine, so we defer it to the full version [26]. 


PROOF OF LEMMA 3.1. Let B be a basis of Λ such that $\|\widetilde{\mathbf{B}}\| = \widetilde{bl}(\Lambda)$. By applying rigid rotations and reflections to the lattice Λ (resulting in corresponding transformations of the dual lattice Λ*), we may assume without loss of generality that the orthogonal Gram-Schmidt vectors $\widetilde{\mathbf{b}}_i$ are parallel to the standard basis vectors $\mathbf{e}_i \in \mathbb{R}^n$ (respectively). This transformation does not affect the value of the smoothing parameter η_ε(Λ), because it is defined with respect to the Gaussian measure $\rho_{1/s}(\Lambda^* \setminus \{\mathbf{0}\})$, which is invariant under rotations and reflections.

By Lemma 2.3, it suffices to show that $\lambda_1^\infty(\Lambda^*) \ge 1/\widetilde{bl}(\Lambda)$. Let $\{\mathbf{d}_1, \ldots, \mathbf{d}_n\}$ be the dual basis of B in reversed order, i.e., $\mathbf{d}_i = \mathbf{b}^*_{n-i+1}$. By Lemma 2.2, we see that for all i ∈ [n], the Gram-Schmidt vector $\widetilde{\mathbf{d}}_i = \pm\mathbf{e}_{n-i+1} / \|\widetilde{\mathbf{b}}_{n-i+1}\|$. Now let v ∈ Λ* be an arbitrary nonzero dual lattice vector. We have $\mathbf{v} = c_1 \mathbf{d}_1 + \cdots + c_n \mathbf{d}_n$ for some integer coefficients c_i that are not all zero; let i ∈ [n] be the largest index such that c_i is nonzero. Because, for every j ∈ [n],

$$\mathbf{d}_j \in \widetilde{\mathbf{d}}_j + \mathrm{span}(\mathbf{d}_1, \ldots, \mathbf{d}_{j-1}) = \pm\frac{\mathbf{e}_{n-j+1}}{\|\widetilde{\mathbf{b}}_{n-j+1}\|} + \mathrm{span}(\mathbf{e}_n, \ldots, \mathbf{e}_{n-j+2}),$$

every $\mathbf{d}_j$ with j < i has a zero (n − i + 1)th component, so the (n − i + 1)th component of v is $v_{n-i+1} = \pm c_i / \|\widetilde{\mathbf{b}}_{n-i+1}\|$, which implies $\|\mathbf{v}\|_\infty \ge |c_i| / \|\widetilde{\mathbf{b}}_{n-i+1}\| \ge 1/\widetilde{bl}(\Lambda)$. We conclude that $\lambda_1^\infty(\Lambda^*) \ge 1/\widetilde{bl}(\Lambda)$, as desired.


4. SAMPLING DISCRETE GAUSSIANS 


Here we show how to use an arbitrary basis B to sample efficiently from the discrete Gaussian distribution D_{Λ,s,c}, for any s greater than $\|\widetilde{\mathbf{B}}\|$ (times a small factor). In particular, it suffices to have an appropriately short full-rank set of lattice vectors S ⊂ Λ, because by Lemma 2.1 we can efficiently convert it into a basis B such that $\|\widetilde{\mathbf{B}}\| \le \|\widetilde{\mathbf{S}}\| \le \|\mathbf{S}\|$.

As a first attempt, consider an algorithm that first sam- 
ples from a continuous Gaussian with parameter s, and 
then uses B to “round off” the sampled point to a relatively 
nearby lattice point. In fact, Regev applied this exact strat- 
egy in the “bootstrapping” step of his reduction [52], using 
an LLL-reduced basis and a Gaussian parameter s that was 
an exponential factor larger than the basis length ||B||. Un- 
fortunately, this strategy does not work so well when s is a 
small multiple of the basis length. Even when Λ is a one-dimensional lattice, e.g., the set of integers Z ⊂ R, the statistical distance between the discrete Gaussian and the distribution induced by the rounding scheme is non-negligible.

Instead of using continuous distributions, we show how to 
sample “directly” from a lattice under the desired discrete 
Gaussian distribution. Even in the one-dimensional case, 
this requires some care: the support of the distribution is 
infinite, and even a close approximation to it may not have a 
succinct representation (e.g., when the parameter s is large). 


THEOREM 4.1. There is a probabilistic polynomial-time algorithm that, given a basis B of an n-dimensional lattice Λ = L(B), a parameter $s \ge \|\widetilde{\mathbf{B}}\| \cdot \omega(\sqrt{\log n})$, and a center c ∈ R^n, outputs a sample from a distribution that is statistically close to D_{Λ,s,c}.


We first define the subroutine SampleZ, which samples from the discrete Gaussian D_{Z,s,c} over the one-dimensional integer lattice Z. Let t(n) ≥ ω(√log n) be some fixed function, say, t(n) = log n. SampleZ uses rejection sampling, and works as follows: on input (s, c) and (implicitly) the security parameter n, choose an integer x ← Z ∩ [c − s·t(n), c + s·t(n)] uniformly at random. Then with probability ρ_s(x − c) ∈ (0, 1], output x; otherwise repeat. For lack of space, we defer the proof of the following lemma to the full version [26].

LEMMA 4.2. For any 0 < ε < exp(−π), any s ≥ η_ε(Z) and c ∈ R, and any ω(log n) function, SampleZ terminates within t(n)·ω(log n) iterations with overwhelming probability, and its output distribution is statistically close to D_{Z,s,c}.


We now describe a randomized nearest-plane algorithm, called SampleD, that samples from a discrete Gaussian D_{Λ,s,c} over any lattice Λ. The input to SampleD is an (ordered) basis B of an n-dimensional lattice Λ, a parameter s > 0, and a center c ∈ R^n. We describe the algorithm as if it has access to an oracle that samples exactly from D_{Z,s',c'} for any desired s' > 0 and c' ∈ R. SampleD proceeds as follows:

1. Let v_n ← 0 and c_n ← c. For i ← n, ..., 1, do:

   (a) Let $c'_i = \langle \mathbf{c}_i, \widetilde{\mathbf{b}}_i \rangle / \langle \widetilde{\mathbf{b}}_i, \widetilde{\mathbf{b}}_i \rangle \in \mathbb{R}$ and $s'_i = s / \|\widetilde{\mathbf{b}}_i\| > 0$.

   (b) Choose $z_i \sim D_{\mathbb{Z}, s'_i, c'_i}$ (this is the only step that differs from the nearest-plane algorithm).

   (c) Let $\mathbf{c}_{i-1} \leftarrow \mathbf{c}_i - z_i \mathbf{b}_i$ and let $\mathbf{v}_{i-1} \leftarrow \mathbf{v}_i + z_i \mathbf{b}_i$.

2. Output v_0.

Assuming scalar operations take unit time, the running time of the algorithm is O(n²) plus the running time of the n oracle calls. By construction, the output of SampleD is always a lattice vector.

Due to lack of space, we must defer the full proof of Theorem 4.1 to the full version. The main idea is that the output probability of each lattice vector v ∈ L(B) is

$$\rho_{s,\mathbf{c}}(\mathbf{v}) \Big/ \prod_{i} \rho_{s'_i, c'_i}(\mathbb{Z}).$$

Because $s'_i \ge \omega(\sqrt{\log n})$ exceeds the smoothing parameter of Z, the terms in the denominator are essentially independent of the $c'_i$ variables. It follows that the denominator is essentially the same quantity for all v ∈ L(B), and the probability of outputting v is proportional to ρ_{s,c}(v), as desired.
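As an added example (not code from the paper), the following Python implements SampleZ and SampleD exactly as described above, and also measures the statistical distance behind the "first attempt" rounding strategy discussed at the start of this section; the window constant t and the toy bases are constructed for the demonstration and stand in for the paper's t(n) = log n.

```python
import math
import random

# Added example, not code from the paper: SampleZ and SampleD of Section 4, and the
# statistical-distance check behind the "first attempt" (continuous Gaussian, then
# round) discussed at the start of the section. The window width t is a constructed
# demo constant standing in for the paper's t(n) = log n.

def rho(s, x):
    """Gaussian function rho_s(x) = exp(-pi x^2 / s^2) for real x."""
    return math.exp(-math.pi * x * x / (s * s))

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def make_rng(seed=1):
    return random.Random(seed)

def gram_schmidt(B):
    """Gram-Schmidt orthogonalization of the ordered basis B (each row is a vector)."""
    Bt = []
    for b in B:
        v = [float(x) for x in b]
        for bt in Bt:
            mu = dot(b, bt) / dot(bt, bt)
            v = [vi - mu * ti for vi, ti in zip(v, bt)]
        Bt.append(v)
    return Bt

def sample_z(s, c, rng, t=6):
    """SampleZ: draw x uniformly from Z ∩ [c - s*t, c + s*t], accept with prob. rho_s(x - c)."""
    lo, hi = math.ceil(c - s * t), math.floor(c + s * t)
    while True:
        x = rng.randint(lo, hi)
        if rng.random() < rho(s, x - c):
            return x

def sample_d(B, s, c, rng, t=6):
    """SampleD: randomized nearest plane; returns v_0 and the coefficients z_1..z_n."""
    Bt = gram_schmidt(B)
    n = len(B)
    v, ci, z = [0.0] * n, [float(x) for x in c], [0] * n
    for i in range(n - 1, -1, -1):                      # i = n, ..., 1 in the paper
        c_prime = dot(ci, Bt[i]) / dot(Bt[i], Bt[i])   # c'_i = <c_i, b~_i> / <b~_i, b~_i>
        s_prime = s / math.sqrt(dot(Bt[i], Bt[i]))     # s'_i = s / ||b~_i||
        z[i] = sample_z(s_prime, c_prime, rng, t)      # z_i ~ D_{Z, s'_i, c'_i}
        ci = [a - z[i] * b for a, b in zip(ci, B[i])]  # c_{i-1} = c_i - z_i b_i
        v = [a + z[i] * b for a, b in zip(v, B[i])]    # v_{i-1} = v_i + z_i b_i
    return v, z

def sample_mean(B, s, c, rng, trials=2000):
    """Empirical mean of SampleD outputs; it sits near c once s is well above ||B~||."""
    acc = [0.0] * len(c)
    for _ in range(trials):
        v, _ = sample_d(B, s, c, rng)
        acc = [a + x for a, x in zip(acc, v)]
    return [a / trials for a in acc]

def rounding_distance(s, c=0.0, t=12):
    """Statistical distance between D_{Z,s,c} and 'sample D_s centered at c, then round'."""
    sigma = s / math.sqrt(2 * math.pi)          # std. dev. of the density exp(-pi x^2 / s^2)
    xs = range(math.floor(c - s * t), math.ceil(c + s * t) + 1)
    total = sum(rho(s, x - c) for x in xs)      # rho_s(Z - c), truncated far in the tails
    cdf = lambda y: 0.5 * (1 + math.erf((y - c) / (sigma * math.sqrt(2))))
    return 0.5 * sum(abs(rho(s, x - c) / total - (cdf(x + 0.5) - cdf(x - 0.5))) for x in xs)

if __name__ == "__main__":
    rng = make_rng()
    print(sample_d([[3, 1], [1, 2]], 4.0, [0.5, -1.5], rng))   # constructed toy basis
    print(rounding_distance(1.0), rounding_distance(4.0))      # first > 0.05, second < 0.02
```

For s = 1 the rounded continuous Gaussian over Z is visibly far from D_{Z,1}, which is the one-dimensional failure the text points to, while the gap shrinks quickly once s is a few times the basis length.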


5. TRAPDOORS FOR HARD LATTICES 
5.1 Hard Random Lattices 


We start by describing a certain family of "random" lattices that, roughly speaking, enjoy worst-case hardness. Let A ∈ Z_q^{n×m} for some positive integers n, m, q. In this work (as in prior ones), n is the natural security parameter and all other variables are functions of n; for example, m = m(n) is typically O(n log n), and the modulus q = q(n) is some small polynomial, e.g., O(n³). Define the full-rank m-dimensional integer lattice consisting of those integer vectors that are "orthogonal" (modulo q) to the rows of A:

$$\Lambda^\perp(\mathbf{A}) = \{\mathbf{e} \in \mathbb{Z}^m : \mathbf{A}\mathbf{e} = \mathbf{0} \bmod q\}.$$

In the terminology of coding theory, A is the "parity check" matrix for the lattice Λ^⊥(A). When A is implicit from context, we sometimes omit it and just write Λ^⊥.

An important fact we use throughout this section is that the quotient group (Z^m/Λ^⊥) and the set of syndromes

$$\{\mathbf{u} = \mathbf{A}\mathbf{e} \bmod q : \mathbf{e} \in \mathbb{Z}^m\} \subseteq \mathbb{Z}_q^n$$

are in bijective correspondence, via the mapping (e + Λ^⊥) ↦ Ae mod q. In other words, computing the syndrome Ae mod q for some e ∈ Z^m is equivalent to reducing e modulo the lattice Λ^⊥(A).

We now assert a few important facts about these random 
lattices that will be used in this section. The proofs are 
deferred to the full version [26]. 


PROPOSITION 5.1. Let n and q be positive integers with q prime, and let m ≥ 2n lg q. Then for all but a 2q^{−n} fraction of all A ∈ Z_q^{n×m} and for any s ≥ ω(√log m), we have:

1. The subset-sums of the columns of A generate Z_q^n; i.e., for every syndrome u ∈ Z_q^n there is an e ∈ {0,1}^m such that Ae = u mod q.

2. For e ~ D_{Z^m,s}, the distribution of the syndrome u = Ae mod q is statistically close to uniform over Z_q^n.

3. For fixed u ∈ Z_q^n and an arbitrary solution t ∈ Z^m to At = u mod q, the conditional distribution of e ~ D_{Z^m,s} given Ae = u mod q is exactly t + D_{Λ^⊥,s,−t}.


The following problem is related to the shortest vector 
problem on the family of lattices defined above. 


Definition 4. The (homogeneous) small integer solution problem SIS is as follows: given an integer q, a matrix A ∈ Z_q^{n×m}, and a real β, find a nonzero integer vector e ∈ Λ^⊥(A) such that ‖e‖_2 ≤ β.

For functions q(n), m(n), and β(n), SIS_{q,m,β} is the ensemble over instances (q(n), A, β(n)) where A ∈ Z_q^{n×m} is uniformly random.

By a pigeonhole argument on the values Ae mod q for e ∈ {0,1}^m, one can show that SIS always admits a solution in {0,±1}^m for m > 2n lg q, so we may take β ≥ √m. From now on, m and β will always satisfy these constraints.

Ajtai [3] first showed that solving SIS_{q,m,β} (on the average) is as hard as approximating certain problems (e.g., SIVP and GapSVP) on any lattice of dimension n to within poly(n) factors. Using Gaussian techniques, Micciancio and Regev [40] improved the approximation factors to as small as Õ(n). In the full version [26], we give a simpler and slightly tighter proof of this fact that employs our discrete Gaussian sampling algorithm, and which works for smaller q.

PROPOSITION 5.2. For any poly-bounded m, β = poly(n) and for any prime q ≥ β·ω(√(n log n)), the average-case problem SIS_{q,m,β} is as hard as approximating the SIVP problem (among others) in the worst case to within certain γ = β·Õ(√n) factors.


5.2 Trapdoor Functions


A collection of trapdoor collision-resistant hash functions with preimage sampling is given by probabilistic polynomial-time algorithms (TrapGen, SampleDom, SamplePre) that satisfy the following:

1. Generating a function with trapdoor: TrapGen(1^n) outputs (a, t), where a is the description of an efficiently-computable function f_a : D_n → R_n (for some efficiently-recognizable domain D_n and range R_n depending on n), and t is some trapdoor information for f_a.

For the remainder, fix some (a, t) ← TrapGen(1^n).

2. Domain sampling and uniform output: SampleDom(1^n) samples an x from some (possibly non-uniform) distribution over D_n, for which the distribution of f_a(x) is uniform over R_n.

3. Preimage sampling with trapdoor: for every y ∈ R_n, SamplePre(t, y) samples from the conditional distribution of x ← SampleDom(1^n), given f_a(x) = y.

4. Preimage min-entropy: for every y ∈ R_n, the conditional min-entropy of x ← SampleDom(1^n) given f_a(x) = y is at least ω(log n). (In fact, one bit of min-entropy suffices for many applications.)

5. Collision-resistance without trapdoor: for any probabilistic poly-time algorithm A, the probability that A(1^n, a) outputs distinct x, x' ∈ D_n such that f_a(x) = f_a(x') is negligible, where the probability is taken over the choice of a and A's random coins.

To be completely precise, the trapdoor functions we construct will only satisfy the above properties statistically, i.e., with overwhelming probability over the choice of a and the randomness of SampleDom, etc. None of these relaxations will affect security in our applications.

We now recall the result of Ajtai [4] that shows how to sample an essentially uniform A ∈ Z_q^{n×m}, along with a relatively short full-rank "trapdoor" set of lattice vectors S ⊂ Λ^⊥(A).

PROPOSITION 5.3 ([4]). For any prime q = poly(n) and any m ≥ 5n lg q, there is a probabilistic polynomial-time algorithm that, on input 1^n, outputs a matrix A ∈ Z_q^{n×m} and a full-rank set S ⊂ Λ^⊥(A), where the distribution of A is statistically close to uniform over Z_q^{n×m} and ‖S‖ ≤ L = m^{2.5}. By Lemma 2.1, the set S can be converted efficiently to a "good" basis T of Λ^⊥(A) such that $\|\widetilde{\mathbf{T}}\| \le \|\widetilde{\mathbf{S}}\| \le L$.

By optimizing Ajtai's construction and its analysis, the bound L on the length ‖S‖ of the short set can be improved to L = m^{1+ε} for any ε > 0; we defer the details.

We can now define a collection of trapdoor functions with preimage sampling based on the average-case hardness of SIS. Let q, m, and L be as in Proposition 5.3. The collection is parameterized by some Gaussian parameter s ≥ L·ω(√log m).

• The function generator uses the algorithm from Proposition 5.3 to choose (A, T), where A ∈ Z_q^{n×m} is statistically close to uniform and T ⊂ Λ^⊥(A) is a good basis with $\|\widetilde{\mathbf{T}}\| \le L$. The matrix A (and q) defines the function f_A(·), and the good basis T is its trapdoor.

• The function f_A is defined as f_A(e) = Ae mod q, with domain D_n = {e ∈ Z^m : ‖e‖ ≤ s√m} and range R_n = Z_q^n. The input distribution is D_{Z^m,s}, sampled using SampleD with the standard basis for Z^m.

• The trapdoor inversion algorithm on (A, T, s, u) samples from f_A^{−1}(u) as follows: first, choose via linear algebra an arbitrary t ∈ Z^m such that At = u mod q (such a t exists for all but an at most q^{−n} fraction of A, by Proposition 5.1). Then sample v ~ D_{Λ^⊥,s,−t} using SampleD(T, s, −t), and output e = t + v.

We stress that it is important to sample the input from the discrete Gaussian D_{Z^m,s}, rather than (say) sampling from a continuous Gaussian over R^m (with parameter s) and rounding off each coordinate to the nearest integer. The reason is that the inversion algorithm samples a preimage from the former distribution (conditioned on a particular output), and the latter distribution differs from the former by non-negligible statistical distance (see the discussion at the beginning of Section 4).

THEOREM 5.4. The algorithms above give a collection of trapdoor collision-resistant hash functions with preimage sampling if SIS_{q,m,2s√m} is hard.

PROOF. First we note that s ≥ L·ω(√log m) ≥ η_ε(Λ^⊥) for some negligible ε(n) by Lemma 3.1, because $L \ge \|\widetilde{\mathbf{T}}\|$. We start with domain sampling. A sample e ~ D_{Z^m,s} lands in the domain D_n (except with exponentially small probability) by Lemma 2.5. Furthermore, for an overwhelming fraction of A, f_A(e) is statistically close to uniform over R_n by Proposition 5.1.

We now show preimage sampling. Because $s \ge \|\widetilde{\mathbf{T}}\| \cdot \omega(\sqrt{\log m})$, Theorem 4.1 implies that SampleD samples from a distribution that is statistically close to D_{Λ^⊥,s,−t}. Then by Proposition 5.1, the inverter samples from the appropriate conditional distribution. It also follows immediately by Lemma 2.6 that the preimage min-entropy is at least m − 1.

Finally, for collision resistance, a collision e, e' ∈ D_n for f_A implies A(e − e') = 0 mod q. Because ‖e − e'‖ ≤ 2s√m by the triangle inequality and e − e' ≠ 0 because e, e' are distinct, finding a collision in a random f_A implies solving SIS_{q,m,2s√m}.


6. SIGNATURE SCHEMES


Here we show that "hash-and-sign" signature schemes originally defined for collections of trapdoor permutations can also be instantiated securely using our notion of trapdoor functions with preimage sampling. In fact, we are even able to give a tight security reduction for the full-domain hash scheme (FDH) by exploiting collision resistance. This stands in contrast to the best known reductions for FDH using trapdoor permutations: for trapdoor permutations treated as a black-box, the reduction must lose a factor of Q_hash [23]; for RSA and claw-free permutations, the known reductions still lose a factor of Q_sign [19, 23]. In addition, all of our instantiations are strongly unforgeable.

In this extended abstract, we restrict our attention to an instantiation of FDH. In the full version [26], we analyze probabilistic variants of FDH and a variant of the Bellare-Micali scheme [10] in the plain model.

For security, the signer must give out at most one distinct signature for each message. This can be implemented by making the signer stateful, or by using a pseudorandom function (e.g., the random oracle itself) to implement "repeatable randomness" in a standard way. For simplicity, we describe the stateful version of the scheme. It uses (as a black-box) a collection of trapdoor collision-resistant hash functions with preimage sampling given by TrapGen, SampleDom, SamplePre, and operates relative to a function H = H_n : {0,1}* → R_n that is modelled as a random oracle. Recall that D_n and R_n are the efficiently-recognizable domain and range, respectively, of the trapdoor collection for security parameter n.


• SigKeyGen(1^n): let (a, t) ← TrapGen(1^n), where a describes a function f_a and t is its trapdoor. The verification key is a and the signing key is t.

• Sign(t, m): if (m, σ_m) is in local storage, output σ_m. Else, let σ_m ← SamplePre(t, H(m)), store (m, σ_m), and output σ_m.

• Verify(a, m, σ): if σ ∈ D_n and f_a(σ) = H(m), accept. Else, reject.


PROPOSITION 6.1. The scheme described above is strongly 
existentially unforgeable under a chosen-message attack. 


PROOF. It is clear that the scheme is complete, by the 
properties of the trapdoor collection. 

Assume, for contradiction, that there is an adversary A that breaks the existential unforgeability of the signature scheme with probability ε = ε(n). We construct a poly-time adversary S that breaks the trapdoor collision-resistant hash function with probability negligibly close to ε. Given an index a describing a function f_a, S runs A on public key a, and simulates the random oracle H and signing oracle as follows. Without loss of generality, assume that A queries H on every message m before making a signing query on m.

• For every query to H on a distinct m ∈ {0,1}*, S lets σ_m ← SampleDom(1^n), stores (m, σ_m), and returns f_a(σ_m) to A. (If H was previously queried on m, S looks up (m, σ_m) and returns f_a(σ_m).)

• Whenever A makes a signing query on m, S looks up (m, σ_m) in its local storage and returns σ_m.

Without loss of generality, assume that before outputting its attempted forgery (m*, σ*), A queries H on m*. When A produces (m*, σ*), S looks up (m*, σ_{m*}) in its local storage and outputs (σ*, σ_{m*}) as a collision in f_a.

In the full version [26], we rigorously analyze the reduction and show that S outputs a collision with probability negligibly close to ε(n). Essentially, the properties of the trapdoor family ensure that the view provided by S to A is statistically close to that of the real chosen-message attack. Furthermore, if A produces a valid forgery (m*, σ*), then f_a(σ*) = H(m*) = f_a(σ_{m*}) and σ* ≠ σ_{m*} with overwhelming probability, so (σ*, σ_{m*}) is a collision in f_a.


7. IDENTITY-BASED ENCRYPTION 


Here we construct an identity-based encryption (IBE) system based on the LWE problem in the random oracle model, or under an "interactive" assumption on LWE in the plain model. The IBE scheme follows from two steps. The first is a public-key cryptosystem with "dense" public keys; namely, every syndrome in Z_q^n is a valid public key having many essentially equivalent secret keys. (This cryptosystem is essentially the "dual" of Regev's [52].) The second component is a way to extract a properly-distributed secret key from any public key, using a master trapdoor.

For simplicity, we describe a single-bit public-key cryptosystem, which operates in the following setting. An index A ∈ Z_q^{n×m} for the function f_A(e) = Ae mod q is chosen uniformly at random and shared by all users. A user's secret key is an e ∈ Z^m chosen from D_{Z^m,s} (the input distribution for f_A), and the user's public key is the syndrome u = f_A(e). The encryption and decryption algorithms work as follows, where χ is the error distribution for the LWE problem:

• Enc(u, b): to encrypt a bit b ∈ {0,1}, choose s ← Z_q^n uniformly and p = Aᵀs + x ∈ Z_q^m, where x ← χ^m. Output the ciphertext (p, c = uᵀs + x' + b·⌊q/2⌋) ∈ Z_q^m × Z_q, where x' ← χ.

• Dec(e, (p, c)): compute b' = c − eᵀp ∈ Z_q. Output 0 if b' is closer to 0 than to ⌊q/2⌋ modulo q, otherwise output 1.
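As an added example (not the paper's code), the single-bit dual cryptosystem above in Python, with constructed toy parameters Q, N, M, S and ALPHA chosen only so that decryption is correct; they do not meet the bounds of Theorem 7.1 and give no security. The secret key is drawn from D_{Z^m,s} by exact weighted sampling on a truncated window (a different implementation from SampleZ), the error is the rounded Gaussian Ψ̄_α of Section 2.3, and the IBE key-extraction step, which needs the trapdoor sampler of Section 5, is not included.

```python
import math
import random

# Added example (not the paper's code): the single-bit "dual" cryptosystem of
# Section 7 with constructed toy parameters chosen only so that decryption is
# correct; they do not meet the security bounds of Theorem 7.1.
Q, N, M = 4093, 8, 40          # constructed: prime modulus, LWE dimension, lattice dimension
S = 4.0                        # constructed Gaussian parameter for the secret key e ~ D_{Z^m,s}
ALPHA = 10.0 / Q               # constructed error rate, so that q * alpha = 10

def make_rng(seed=0):
    return random.Random(seed)

def sample_dz(s, rng, t=6):
    """One coordinate of D_{Z^m,s}: exact weighted sampling on Z ∩ [-s*t, s*t]."""
    xs = range(-math.floor(s * t), math.floor(s * t) + 1)
    weights = [math.exp(-math.pi * x * x / (s * s)) for x in xs]   # rho_s(x)
    return rng.choices(xs, weights)[0]

def sample_psi(alpha, q, rng):
    """Psi-bar_alpha of Section 2.3: sample D_{q*alpha}, round to nearest integer, reduce mod q."""
    sigma = q * alpha / math.sqrt(2 * math.pi)   # std. dev. of the density exp(-pi x^2 / (q alpha)^2)
    return round(rng.gauss(0.0, sigma)) % q

def keygen(A, rng):
    """Secret key e <- D_{Z^m,s}; public key is the syndrome u = f_A(e) = A e mod q."""
    e = [sample_dz(S, rng) for _ in range(M)]
    u = [sum(A[i][j] * e[j] for j in range(M)) % Q for i in range(N)]
    return e, u

def enc(A, u, b, rng):
    """Enc(u, b): p = A^T s + x with x <- chi^m, and c = u^T s + x' + b * floor(q/2)."""
    s = [rng.randrange(Q) for _ in range(N)]
    p = [(sum(A[i][j] * s[i] for i in range(N)) + sample_psi(ALPHA, Q, rng)) % Q
         for j in range(M)]
    c = (sum(u[i] * s[i] for i in range(N)) + sample_psi(ALPHA, Q, rng) + b * (Q // 2)) % Q
    return p, c

def dec(e, ct):
    """Dec(e, (p, c)): b' = c - e^T p; 0 if b' is closer to 0 than to floor(q/2) mod q, else 1."""
    p, c = ct
    b_prime = (c - sum(e[j] * p[j] for j in range(M))) % Q   # = b*floor(q/2) + x' - e^T x
    dist0 = min(b_prime, Q - b_prime)        # cyclic distance to 0
    dist1 = abs(b_prime - Q // 2)            # cyclic distance to floor(q/2)
    return 0 if dist0 < dist1 else 1

def roundtrip(trials=200, seed=3):
    """Encrypt and decrypt random bits under a fresh shared A; returns the number of failures."""
    rng = make_rng(seed)
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]   # shared uniform index
    e, u = keygen(A, rng)
    failures = 0
    for _ in range(trials):
        b = rng.randrange(2)
        if dec(e, enc(A, u, b, rng)) != b:
            failures += 1
    return failures

if __name__ == "__main__":
    print("decryption failures:", roundtrip())
```

The decryption residue b' − b⌊q/2⌋ = x' − eᵀx is what Theorem 7.1's bound on α keeps far below q/4; with the toy values above its standard deviation is roughly 40 against a threshold of about 1023.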


In the IBE, the authority chooses the master public key A together with a trapdoor basis T (the master secret key) as described in Proposition 5.3. A hash function H : {0,1}* → Z_q^n maps identities to public keys. To encrypt to an identity id, simply encrypt to the public key u = H(id) using the above system. To extract a secret key for identity id, the authority uses the trapdoor T to sample a secret key e ← f_A^{−1}(H(id)). The authority should either be stateful or use a pseudorandom function in a standard way, so that the same secret key is always returned for the same identity (as in the FDH signature scheme of Section 6). A proof of the following theorem is given in the full version [26].


THEOREM 7.1. Let parameters q ≥ 5(m+1)L·ω(√log m) and m satisfy the hypotheses of Proposition 5.3, and let the error distribution χ = Ψ̄_α for α ≤ 1/(L√(m+1)·ω(log m)).

Then the above cryptosystem and IBE are correct (with overwhelming probability), CPA-secure, and anonymous, assuming that LWE_{q,χ} is hard and H is modelled as a random oracle.


The cryptosystem and IBE can easily be extended to encrypt messages of length k = poly(n) bits, with ciphertexts of Õ(m + k) bits and public keys of size Õ(kn) bits. The idea is to include k independent syndromes u_1, ..., u_k in the public key, and to encrypt to each of them using the same random s ∈ Z_q^n and independent error terms x_i ← χ. (This technique is similar to an amortized construction from [48] for Regev's original system, and to the IBE from [15].) For k = Ω(m), this yields amortized encryption and decryption time of Õ(n) per message bit, and a ciphertext expansion factor of O(log n). It is also possible to encrypt Ω(log n) bits per syndrome under essentially the same assumption on LWE, which yields a ciphertext expansion factor of O(1).

Finally, we remark that instead of modelling H as a random oracle, we can also construct an IBE and prove its security under an "interactive" assumption about the hardness of LWE in the presence of a (stateful) oracle that returns a sample from f_A^{−1}(H(id)) for arbitrary id queries. (A similar assumption on quadratic residuosity was used for the IBE of [15].) The full description and proof are given in the full version [26].